rastrea2r: Collecting & Hunting for IOCs with gusto and style

by do son · Published August 6, 2018 · Updated August 6, 2018

Ever wanted to turn your AV console into an Incident Response & Threat Hunting machine? Rastrea2r (pronounced “rastreador” – hunter- in Spanish) is a multi-platform open source tool that allows incident responders and SOC analysts to triage suspect systems and hunt for Indicators of Compromise (IOCs) across thousands of endpoints in minutes. To parse and collect artifacts of interest from remote systems (including memory dumps), it can execute sysinternal, system commands and other 3rd party tools across multiples endpoints, saving the output to a centralized share for automated or manual analysis. By using a client/server RESTful API, rastrea2r can also hunt for IOCs on disk and memory across multiple systems using YARA rules. As a command line tool, it can be easily integrated within McAfee ePO, as well as other AV consoles and orchestration tools, allowing incident responders and SOC analysts to collect forensic evidence and hunt for IOCs without the need for an additional agent, with ‘gusto’ and style!

Install

$git clone https://github.com/rastrea2r/rastrea2r.git



$make venv

$source /Users/ssbhat/.venvs/rastrea2r/bin/activate

$cd src/rastrea2r/server/

$python rastrea2r_server_v0.3.py

Bottle v0.12.13 server starting up (using WSGIRefServer())...

Listening on http://0.0.0.0:8080/$cd src/rastrea2r/server/

Executing rastrea2r on Windows

Use

$python rastrea2r_osx_v0.3.py -h

usage: rastrea2r_osx_v0.3.py [-h] [-v] {yara-disk,yara-mem,triage} ...



Rastrea2r RESTful remote Yara/Triage tool for Incident Responders



positional arguments:  {yara-disk,yara-mem,triage}



modes of operation

 yara-disk           Yara scan for file/directory objects on disk

 yara-mem            Yara scan for running processes in memory

 triage              Collect triage information from endpoint



optional arguments:

 -h, --help            show this help message and exit

 -v, --version         show program's version number and exit





Further more, the available options under each command can be viewed by executing the help option. i,e



$python rastrea2r_osx_v0.3.py yara-disk -h

usage: rastrea2r_osx_v0.3.py yara-disk [-h] [-s] path server rule



positional arguments:

path          File or directory path to scan

server        rastrea2r REST server

rule          Yara rule on REST server



optional arguments:

-h, --help    show this help message and exit

-s, --silent  Suppresses standard output

Demo

Copyright (c) 2018 rastrea2r

Source: https://github.com/rastrea2r/

rastrea2r: Collecting & Hunting for IOCs with gusto and style

Search

Brilliantly

Content & Links